
There’s no question that Friday’s WannaCry ransomware attack, which spread like wildfire, was bad. Its ability to spread like a worm by exploiting a Microsoft vulnerability was certainly new ground for a ransomware campaign. But along the way, there’s been a lot of fear and hype. Perspective is in order.

Here’s a look at the latest in Sophos’ investigation, including a recap of how it is protecting customers. From there, we look at how this fits into overall attack trends and how, in the grand scheme of things, this doesn’t represent a falling sky.

Monday updates

Over the weekend, the bitcoin wallets set up to collect ransom payments had received smaller amounts than expected for an attack of this size. By Monday morning the balances were rising, suggesting that more victims were responding to the ransom message. On Saturday, the three ransomware-associated wallets had received 92 payments totalling $26,407.85 USD. By Sunday, the combined total across the three wallets was $30,706.61 USD. By Monday morning, 181 payments had been made, totalling 29.46564365 BTC ($50,504.23 USD).

Analysis appears to confirm that Friday’s attack was launched using suspected NSA code leaked by the group of hackers known as the Shadow Brokers. It used a variant of the EternalBlue exploit from that leak (CC-1353), which targets the SMBv1 flaw Microsoft patched in MS17-010, and it used strong encryption on files such as documents, images and videos.

Based on SophosLabs research over the weekend, this doesn’t have the hallmarks of a sophisticated attack. Rather, those involved were able to use sophisticated techniques from the NSA data dump to drive the outbreak.

There were three key factors that caused this attack to spread so quickly:

It included code that let the threat spread across networks as a worm, quickly and without any further user action once the initial infection had taken place.

It exploited a vulnerability that many organizations had not patched against. Patching operating systems is the first line of a security strategy, yet many still struggle to achieve regular updates across their environments.

Organizations are still running Windows XP. Microsoft had discontinued support for Windows XP and had not issued a patch for it, but subsequently released one for XP in light of this attack. Microsoft does support legacy versions of Windows beyond their end of life, but only at extra cost.

Sophos CTO Joe Levy said:

A perfect attack would self-propagate but would do so slowly, randomly and unpredictably. This one was full throttle, but hardly to its detriment. Here we had something that spread like wildfire, but the machines that were impacted were probably still susceptible to secondary attacks because the underlying vulnerability probably hasn’t been patched.

The problem is that exploit and payload are separate. The payload went fast and got stopped, but that’s just one of an infinite number of possibilities that can spread through the unsolved exploit.

Companies still using Windows XP are particularly susceptible to this sort of attack. First released in 2001, the operating system is now 16 years old and has been superseded by Windows Vista and then Windows 7, 8 and 10.

It remains to be seen who was behind this attack. Sophos is cooperating with law enforcement to provide any intelligence it can gather about the origins and attack vectors. The company believes initial infections may have arrived via an email with a malicious payload that a user was tricked into opening.

Customer protection

Sophos continues to update protections against the threat. Sophos customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Note that while Intercept X and EXP block the underlying behaviour and have restored deleted or encrypted files in every case we have seen, the ransomware’s splash screen and ransom note may still appear.

For updates on the specific strains being blocked, Sophos is continually updating a Knowledge-Base Article on the subject.

The sky isn’t falling

As severe as this attack was, it’s important to note that we’re not looking at a shift in the overall attack trend. This attack represents a merging of old behaviors into a perfect storm. SophosLabs VP Simon Reed said:

This attack demonstrates the opportunistic nature of commercial malware authors to re-use the most powerful of exploit techniques to further their aims, which is ultimately to make money.

In the final analysis, the same advice as always applies for those who want to avoid such attacks.

To guard against malware exploiting Microsoft vulnerabilities:

Stay on top of all patch releases and apply them quickly.

If at all possible, replace older Windows systems with the latest versions.

To guard against ransomware in general:

Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish: fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell whether it’s one you want until you open it. If in doubt, leave it out.

To pay or not to pay?

Finally, there’s the question of whether victims should pay the ransom or stand their ground. Sophos has mostly taken a neutral stance on the issue. In a perfect world no one wants to pay the bad guys. But depending on an organization’s situation, they may feel they have no choice but to pay to get back to business.

In the case of this attack, paying the ransom doesn’t seem to be helping victims so far, so Levy believes paying the WannaCry ransom is ill-advised:

In general, paying is a bad idea unless the organization is truly desperate to get irreplaceable data back and when it is known that the ransom payment works. In this attack, it doesn’t appear to work.

Do we know anything about the initial email used to deliver the exploit? I got lots of (official?) “domain abuse” emails last week, and also a number of fake “overdue” invoices, more than I get in a normal week I’d say.

No, the domains need to be whitelisted. If the malware can contact them, it stops.

It’s been referred to as a ‘kill switch’ – that all the malware author had to do to throw the brakes on for some reason was to register some obscure domains. In the event, a security researcher found the domains and registered them. He speculates that it’s not actually a kill switch but may be a form of sandbox detection (malware wants to run in the real world and hide when it’s in a researcher’s sandbox).

The thinking goes that in the kind of sandbox environment used by security researchers the domains might appear to be registered when in fact they are not. If the malware can get a response from the unregistered domains it thinks it’s in a sandbox and shuts down.

If you blocklist the domains in your network then you’re turning off the “kill switch”. If you allowlist the domains you’re allowing access to the kill switch.
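The blocklist-versus-allowlist point in the comment above, as an added example written for this page (not Sophos’s code and not the malware’s): the gate is modelled exactly as the thread describes it, “if the domain can be contacted, stop”, with the network check injectable so the scenarios run offline. The domain name is a hypothetical placeholder, since the page does not name the real one, and the scenarios are constructed.

```python
"""Model of the 'kill switch' gate discussed in the comments.

Added example, not code from Sophos or from the malware. It reproduces only the
decision logic the thread describes (contact succeeds -> halt, otherwise spread)
so the effect of blocklisting vs allowlisting the domain can be seen offline.
"""
import socket

# Hypothetical placeholder: the real kill-switch domain is not named on this page.
KILL_SWITCH_DOMAIN = "killswitch-example.invalid"


def can_contact(domain: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Real network check: True if a TCP connection to domain:port succeeds."""
    try:
        with socket.create_connection((domain, port), timeout=timeout):
            return True
    except OSError:  # NXDOMAIN, timeout, refused, or blocked by firewall/proxy
        return False


def malware_proceeds(domain: str = KILL_SWITCH_DOMAIN, contact=can_contact) -> bool:
    """The gate as the comments describe it: reachable -> halt, unreachable -> spread."""
    return not contact(domain)


# Constructed scenarios (assumptions, not measurements). Each maps a network
# situation to whether a contact attempt from the victim machine would succeed.
SCENARIOS = {
    "domain unregistered, normal egress":               lambda d: False,
    "domain registered (sinkhole), normal egress":      lambda d: True,
    "domain registered, but blocklisted at DNS/proxy":  lambda d: False,
    "domain registered, explicitly allowlisted":        lambda d: True,
    "research sandbox that answers every DNS name":     lambda d: True,
}


def decision_table(scenarios=SCENARIOS) -> dict:
    """Run the gate under each scenario; True means the malware would run and spread."""
    return {name: malware_proceeds(KILL_SWITCH_DOMAIN, contact=check)
            for name, check in scenarios.items()}


if __name__ == "__main__":
    for name, proceeds in decision_table().items():
        print(f"{'SPREADS' if proceeds else 'halts':8} {name}")
```

The third scenario is the one the comment warns about: a blocklist entry makes the sinkholed domain unreachable from inside the network, which is indistinguishable, from the malware’s point of view, from the domain never having been registered.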

With respect to Microsoft monthly updates is there anything to be said for a short delay (few hours) before installing them?
I always wonder whether the update system can be hacked – and a delay allows others to suffer first!

Having port 445 open directly to the OS is the biggest issue: no port security on the network or OS firewall. I have read many articles stating this malware was not in emails. The patch for Windows came out 14 March (XP later). 98% of systems exploited were Win7. All this XP stuff is overboard; yes, it needs to be replaced already. So, one, by having no firewall in place; second, by not patching your system. By having good firewall rules in place this could have been stopped.
What no one is talking about is firewalls blocking port 445 inbound from outside your LAN. That is how this started. Thousands of systems were exploited using EternalBlue weeks before. How? By port 445 being open directly to systems. (Security folks on Twitter were all over this.)
It is primarily a failure on the networking side; this is what needs to be talked about, and if you have not patched since March 14, then you are really wrong. It boils down to poor security practices. Why is SMB1 still allowed on your network? Patching is only a small part of the security layer; let’s expand the talk.
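The comment above argues that reachable port 445 and SMB1 left enabled are the real exposure. As an added example (written for this page; not from Sophos, the page, or any exploit tooling), here is the check a network team would run to find such hosts: a plain SMB1 Negotiate Protocol request offering only the NT LM 0.12 dialect is sent to TCP/445 and the reply is classified. Packet layout follows the MS-CIFS header definitions; the reply bytes used for the offline demonstration are constructed, and live hosts are supplied on the command line.

```python
"""Probe whether a host still accepts SMB1 on TCP/445.

Added example; not from the page, Sophos or any exploit. Sends an SMB1 Negotiate
Protocol request (MS-CIFS layout) and classifies the reply.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header: Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID
SMB1_HEADER = "<4sBIBHH8sHHHHH"


def build_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """NetBIOS session header + SMB1 header + Negotiate request body.

    Only SMB1 dialects are offered on purpose: if 'SMB 2.002' were listed too,
    a modern server would answer in SMB2 even with SMB1 still enabled.
    """
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18,     # Flags: case-insensitive, canonical paths
                         0xC801,   # Flags2: unicode, NT status, ext. security, long names
                         0, b"\x00" * 8, 0, 0, 0, 0, 0)
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body   # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb      # NetBIOS session message


def classify_reply(reply: bytes) -> str:
    """Interpret the server's first message (4-byte NetBIOS header stripped)."""
    if len(reply) < 4:
        return "no reply: SMB1 refused (connection closed) or port filtered"
    msg = reply[4:]
    if msg.startswith(SMB2_MAGIC):
        return "server answered with SMB2/3 only"
    if not msg.startswith(SMB1_MAGIC) or len(msg) < 35:
        return "unrecognised response"
    command = msg[4]
    status = struct.unpack_from("<I", msg, 5)[0]
    word_count = msg[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return f"SMB1 negotiate rejected (status=0x{status:08x})"
    dialect_index = struct.unpack_from("<H", msg, 33)[0]   # first parameter word
    if dialect_index == 0xFFFF:
        return "SMB1 spoken but no offered dialect accepted"
    return "SMB1 ENABLED: server negotiated NT LM 0.12"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the negotiate request and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            reply = s.recv(4096)
    except ConnectionResetError:
        reply = b""            # typical when SMB1 is disabled on a Windows host
    except OSError as e:
        return f"port {port} unreachable: {e}"
    return classify_reply(reply)


def constructed_smb1_reply(dialect_index: int = 0) -> bytes:
    """Constructed 17-word SMB1 Negotiate response, for offline demonstration only."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                         0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
    # MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength
    words = struct.pack("<HBHHIIIIqhB", dialect_index, 3, 50, 1, 16644, 65536,
                        0, 0x8000F3FD, 0, 0, 8)
    body = header + bytes([17]) + words + struct.pack("<H", 8) + b"\x00" * 8
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    print("constructed SMB1 reply  ->", classify_reply(constructed_smb1_reply()))
    print("constructed SMB2 reply  ->",
          classify_reply(b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60))
    print("constructed empty reply ->", classify_reply(b""))
    for host in sys.argv[1:]:
        print(host, "->", probe(host))
```

Run it only against hosts you are authorized to scan. A host that resets the connection or answers in SMB2 only has SMB1 off; from outside the LAN, a timeout is the result a correctly configured perimeter firewall should produce, and anything else means 445 is exposed exactly as the comment describes.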